The World Affairs Board is the premier forum for the discussion of the pressing geopolitical issues of our time. Topics include military and defense developments, international terrorism, insurgency & COIN doctrine, international security and policing, weapons proliferation, and military technological development.

Our membership includes many from military, defense, academic, and government backgrounds with expert knowledge on a wide range of topics. Registration is fast, simple and absolutely free so why not register a World Affairs Board account and join our community today?

How computer hacking laws make you a criminal

In 1970, a 14-year-old boy dialed into a nationwide computer network, uploaded a virus he had written and caused the entire network to crash.

That boy was Bill Gates. Five years later, he founded Microsoft.

A few years later, two young men went around college dorms in California selling boxes of wires that let students bypass telephone-company restrictions and make long-distance calls for free.

Those young men were Steve Jobs and Steve Wozniak, and a later venture they started, Apple, is now the most valuable company in the world.

In 2010, another young man, who had already founded a multimillion-dollar company, broke into a utility closet at the Massachusetts Institute of Technology.

Advertise | AdChoices

He hooked up a laptop to the campus network and downloaded 4 million academic journal articles, most of them in the public domain, from a paid archive to which he had a subscription.

He was arrested, indicted twice on multiple counts of fraud and, at a trial that was to have begun in April, could have faced 50 years in federal prison and a $1 million fine.

His name was Aaron Swartz, and last week he took his own life.

More computers, more prosecutions
The difference between the fates of Gates, Jobs and Wozniak on the one hand, and of Swartz on the other, originates with the Computer Fraud and Abuse Act.

The CFAA is a 1986 law, section 1030 of the federal criminal code, which makes any unauthorized access into a protected network or computer a federal crime and permits harsh penalties for those convicted.

But 1986 was a long time ago. Today, any Web server can be defined as a protected computer, and almost anything can be defined as unauthorized access.

If that sounds ridiculous, here's a fact: Andrew "Weev" Auernheimer, a well-known "gray hat" hacker, was convicted in November of fraud and conspiracy for harvesting data from a publicly accessible server. He's facing up to 10 years in prison at his sentencing next month.

There weren't any passwords protecting the data Auernheimer and his friend, who later testified against him, downloaded. All they did was change numbers in URLs and press "return." But according to the CFAA, they were breaking the law

"The punishments for these crimes are hugely disproportionate to the offenses listed," said Adam Goldstein, an attorney advocate at the Student Press Law Center in Arlington, Va. "We wrote these laws based on the 1980s view of the worst-case scenario of hacking in a networked world."

To Robert Graham, chief executive officer of Errata Security in Atlanta, the CFAA is "hopelessly out of date, and can be used to prosecute anybody for almost anything."

Advertise | AdChoices

"The issue is 'authorization,'" Graham said. "Back in 1986, everyone had to be explicitly authorized to use a computer with an assigned username and password.

"But today, with the Web, we access computers with reckless abandon without knowing whether we are authorized or not," he added. "When you click on a URL, you are technically in violation of the law as it was designed."

Swartz was facing more prison time than he would have if he'd committed a serious physical crime, such as assault, burglary, grand theft larceny or involuntary manslaughter.

"Why the penalties are stiffer for e-crime does not make sense," said Chester Wisniewski, an American who works as a senior security analyst in the Vancouver, British Columbia, office of the British security firm Sophos. "These penalties are more in line with murder than theft."

"There is a serious problem in federal criminal law where the use of a computer ratchets up a criminal sentence dramatically out of proportion from the harm caused," said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation in San Francisco.

"We wrote laws designed to punish the worst monsters of William Gibson's nightmares," Goldstein said. "We're wielding them against people who download journal articles and steal naked pictures from Scarlett Johansson."

a sick and saddening story - journal articles - and mr virus is a billionaire - funding other virus writers (giving multimillion dollar "research" contracts to several notorious virus writers) while squashing Linux with cash to certified MS engineers (a 500$ credit for agreeing to not install or support Linux)...

Is there a crueler way to kill someone than to drive them to kill themself?

It reminds of a satirical Family Guy episode - BG is flying along with his cronies (they can fly w/o mechanicial assistance in the spoof) and they look down at the people "they look like ants" says Ted Turner - "They are ants" says BG...

I don't think it was really that stretched from what these people actually believe about "commoners"... Our laws and justice system seem to support their elitism.

Last edited by USSWisconsin; 18 Jan 13, at 20:13.

"If your plan is for one year, plant rice. If your plan is for ten years, plant trees.
If your plan is for one hundred years, educate children."

This article, like many others, makes it sound as if he was facing a 50 year sentence and $1 million in fines. He wasn't. The truth is he was offered a plea bargain of 6 months in a minimum security facility before he killed himself.

Since I'm not planning on breaking and entering anyone's property and hacking their system to steal data, or have heard any incidents of people being charged for checking facebook from work, I'm not too worried about being convicted under the CFAA.

JSTOR is a digital repository that archives content from journal articles, manuscripts, GIS systems, and scanned plant specimens and disseminates it online.[60] Swartz was a research fellow at Harvard University, which provided him with a JSTOR account. Additionally, visitors to MIT’s “open campus” were authorized to access JSTOR through its network.
According to state and federal authorities, over the course of a few weeks in late 2010 and early 2011 Swartz downloaded a large number of academic journal articles from JSTOR through MIT’s computer network. The authorities say Swartz downloaded the documents through a laptop connected to a networking switch in a controlled-access wiring closet.
According to press reports, the door to the closet was kept unlocked.

This article, like many others, makes it sound as if he was facing a 50 year sentence and $1 million in fines. He wasn't. The truth is he was offered a plea bargain of 6 months in a minimum security facility before he killed himself.

Since I'm not planning on breaking and entering anyone's property and hacking their system to steal data, or have heard any incidents of people being charged for checking facebook from work, I'm not too worried about being convicted under the CFAA.

And if he didn't except that plea bargain was he facing 50yrs and $1million fine?

JSTOR is a digital repository that archives content from journal articles, manuscripts, GIS systems, and scanned plant specimens and disseminates it online.[60] Swartz was a research fellow at Harvard University, which provided him with a JSTOR account. Additionally, visitors to MIT’s “open campus” were authorized to access JSTOR through its network.
According to state and federal authorities, over the course of a few weeks in late 2010 and early 2011 Swartz downloaded a large number of academic journal articles from JSTOR through MIT’s computer network. The authorities say Swartz downloaded the documents through a laptop connected to a networking switch in a controlled-access wiring closet.
According to press reports, the door to the closet was kept unlocked.

So why wasn't he charged for breaking and entering by the local police? Why instead was he charged with multiple federal crimes? I really don't see where your going with this.

breaking and entering

n. 1) the criminal act of entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime, this is burglary. If there is no such intent, the breaking and entering alone is probably at least illegal trespass, which is a misdemeanor crime. 2) the criminal charge for the above.
See also: burglary trespass

He WAS arrested on state breaking and entering charges. The charges were dismissed after the Feds indicted him and worked up their own case. It's in your own link.

I just find the article misleading and overly dramatic. I'm not worried about potential CFAA charges for the reasons I stated above. I just don't see breaking and entering and hiding a laptop with a spoofed address to steal data the same as logging into facebook from work, as the article is trying to suggest. It's a stupid argument.

IMO, any prison time for what he did, as a first offence, was unwarrented. Perhaps probabtion, loss of access, a fine, or community service. Who was harmed? What damage was done? What would this have cost them if they hadn't found out about it?

On the other hand, someone nearly kills dozens of people and destroys a billion dollar SSN and they get 17 years. This guy was facing 50 years a million dollar fine and had to accept 6 months in federal prison in a "plea bargin"? For downloading journals? The closet wasn't locked - so he was granted access. Perhaps he should have been expelled or suspended from using these facilities - but federal prison for 6 months?

Perhaps the starting sentance should have been a year in prison and should have been reduced to a year of probation and community service, with his access priveleges revoked for a longer period.

"If your plan is for one year, plant rice. If your plan is for ten years, plant trees.
If your plan is for one hundred years, educate children."

IMO, any prison time for what he did, as a first offence, was unwarrented. Perhaps probabtion, loss of access, a fine, or community service. Who was harmed? What damage was done? What would this have cost them if they hadn't found out about it?

On the other hand, someone nearly kills dozens of people and destroys a billion dollar SSN and they get 17 years. This guy was facing 50 years a million dollar fine and had to accept 6 months in federal prison in a "plea bargin"? For downloading journals? The closet wasn't locked - so he was granted access. Perhaps he should have been expelled or suspended from using these facilities - but federal prison for 6 months?

Perhaps the starting sentance should have been a year in prison and should have been reduced to a year of probation and community service, with his access priveleges revoked for a longer period.

I'm really a bit surprised this keeps coming up... why do you people think you're entitled to enter and do anything you want if a door isn't locked? If he was entering someone's unlocked dorm room on this same "open campus" and stealing their stuff it would be ok because the door wasn't locked? WTF?

No, he wasn't granted access. He snuck into a network room in the basement, connected his laptop to a network switch and then hid the laptop, and snuck in again later to retrieve it. This room is not a public network access point, and he knew that.

I'm really a bit surprised this keeps coming up... why do you people think you're entitled to enter and do anything you want if a door isn't locked? If he was entering someone's unlocked dorm room on this same "open campus" and stealing their stuff it would be ok because the door wasn't locked? WTF?

Because 50 years is way too much for entering unlocked room compared to some other sentences.

No, he wasn't granted access. He snuck into a network room in the basement, connected his laptop to a network switch and then hid the laptop, and snuck in again later to retrieve it. This room is not a public network access point, and he knew that.

Even if so, the penalty he alegedly faced is way too high. Why you can't understand this point?

No such thing as a good tax - Churchill

To make mistakes is human. To blame someone else for your mistake, is strategic.

Because 50 years is way too much for entering unlocked room compared to some other sentences.

Who was giving him 50 years for entering an unlocked room? He was charged with 13 counts that didn't even include the illegal entry afaik, so I'm not sure what you're even talking about. Regardless, the sentence wasn't what I was discussing. It was the suggestions that he did nothing wrong because a door was unlocked. It's totally absurd.

Even if so, the penalty he alegedly faced is way too high. Why you can't understand this point?

I understand that point. However, that wasn't the point I was arguing.

JSTOR is a digital repository that archives content from journal articles, manuscripts, GIS systems, and scanned plant specimens and disseminates it online.[60] Swartz was a research fellow at Harvard University, which provided him with a JSTOR account. Additionally, visitors to MIT’s “open campus” were authorized to access JSTOR through its network.[61]

Wikipedia

If he had access to this data, how was it stealing? It was misuse of his access, and most likely was a violation of the terms and conditions.

It was the suggestions that he did nothing wrong because a door was unlocked. It's totally absurd.

Where did someone say he did nothing wrong?

"If your plan is for one year, plant rice. If your plan is for ten years, plant trees.
If your plan is for one hundred years, educate children."